Skip to content

build(deps): bump the bundler group across 1 directory with 7 updates#2

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/bundler/bundler-76e42d52ce
Closed

build(deps): bump the bundler group across 1 directory with 7 updates#2
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/bundler/bundler-76e42d52ce

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github May 16, 2024

Bumps the bundler group with 3 updates in the / directory: rails, omniauth and rexml.

Updates rails from 7.1.3 to 7.1.3.1

Release notes

Sourced from rails's releases.

7.1.3.1

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

... (truncated)

Commits

Updates omniauth from 1.9.2 to 2.0.0

Release notes

Sourced from omniauth's releases.

v2.0.0

Version 2.0 of OmniAuth includes some changes that may be breaking depending on how you use OmniAuth in your app.

Many thanks to the folks who contributed in code and discussion for these changes.

OmniAuth now defaults to only POST as the allowed request_phase method.

Hopefully, you were already doing this as a result of the warnings due to CVE-2015-9284.
For detailed context, see:
#960
#809
Resolving CVE-2015-9284

This change also includes an additional configurable phase: request_validation_phase.

Rack/Sinatra

By default, this uses rack-protection's AuthenticityToken class to validate authenticity tokens. If you are using a rack based framework like sinatra, you can find an example of how to add authenticity tokens to your view here.

Rails

Because Rails handles its CSRF protection in its RequestForgeryProtection class, and stores tokens in a non-vanilla-rack friendly way, you must pass a rails-friendly validator in instead, similar to what omniauth-rails_csrf_protection does.

Update: omniauth-rails_csrf_protection has released v1.0.0, which means if you're using this library already, you should be able to upgrade omniauth to the 2.0 series as long as omniauth-rails_csrf_protection is also upgraded '~> 1.0'

An example of creating your own non-dependency implementation is below, though I would recommend using the gem.

# Derived from https://github.com/cookpad/omniauth-rails_csrf_protection/blob/master/lib/omniauth/rails_csrf_protection/token_verifier.rb
# This specific implementation has been pared down and should not be taken as the most correct way to do this.
class TokenVerifier
  include ActiveSupport::Configurable
  include ActionController::RequestForgeryProtection
def call(env)
@​request = ActionDispatch::Request.new(env.dup)
raise OmniAuth::AuthenticityError unless verified_request?
end
private
attr_reader :request
delegate :params, :session, to: :request
end
in an initializer
OmniAuth.config.request_validation_phase = TokenVerifier.new

Example Rails App

If you're using Rails' form helpers, they automatically include an authenticity token.

If you are using hyperlinks or buttons styled to redirect to your login route, you should update these to be a submit input or a submit type button wrapped in a form.

- <a href='/auth/developer'>Login with Developer</a>
</tr></table>

... (truncated)

Commits
  • 29c8216 Merge pull request #1021 from omniauth/2_0-indev
  • fe26931 Release 2.0.0
  • 8a6b7a6 Merge pull request #1016 from BobbyMcWho/add-to-readme
  • 19b3d34 Add v2.0.0 text
  • 97714aa Tag version
  • 1956a95 Fix deprecation warnings
  • 1b784ff Wrap mock_call in rescue
  • 49ca577 Merge pull request #1015 from omniauth/make-sure-strategy-passes-rack-freeze
  • e405613 Freeze omniauth in test to verify thread safety
  • d4c1ff0 Dup options when a strategy is dup'd or cloned
  • Additional commits viewable in compare view

Updates actionpack from 7.1.3 to 7.1.3.1

Release notes

Sourced from actionpack's releases.

7.1.3.1

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

... (truncated)

Changelog

Sourced from actionpack's changelog.

Rails 7.1.3.1 (February 21, 2024)

Commits

Updates nokogiri from 1.16.0 to 1.16.5

Release notes

Sourced from nokogiri's releases.

v1.16.5 / 2024-05-13

Security

Dependencies

sha256 checksums:

af0f44fa3e664dfb2aa10de8b551447d720c1e8d1f0aa3f35783dcc43e40a874  nokogiri-1.16.5-aarch64-linux.gem
23dc2357b26409a5c33b7e32a82902f0e9995305420f16d1a03ab3ea1a482fec  nokogiri-1.16.5-arm-linux.gem
950d037530edb49f75ad35de0b8038b970a7dda57e2b6326895b0e49fadf6214  nokogiri-1.16.5-arm64-darwin.gem
b7aefc94370c62476b8528e8d8abb6160203abd84a1f4eceda8f1aa8974d9989  nokogiri-1.16.5-java.gem
ec2167160df8fec3137bf95d574ed80ebc1d002bb3b281546b60b4aa9002466e  nokogiri-1.16.5-x64-mingw-ucrt.gem
6984200491fac69974005ecfa2de129d61843d345eafa5d6f58e8b908d1cf107  nokogiri-1.16.5-x64-mingw32.gem
abdc389ab1ec6604492da16bd9d06ad746fdb6bd6a1bd274c400d61ffcadb3c4  nokogiri-1.16.5-x86-linux.gem
63d24981345856f2baf7f4089870a62d3042fb8d3021b280fb04fc052532e3c4  nokogiri-1.16.5-x86-mingw32.gem
71b5f54e378c433d13df67c3b71acc4716129da62402d8181f310c4216a63279  nokogiri-1.16.5-x86_64-darwin.gem
0ca238da870066bed2f7837af6f35791bb9b76c4c5638999c46aac44818a6a97  nokogiri-1.16.5-x86_64-linux.gem
ec36162c68984fa0a90a5c4ae7ab7759460639e716cc1ce75f34c3cb54158ad2  nokogiri-1.16.5.gem

v1.16.4 / 2024-04-10

Dependencies

  • [CRuby] Vendored zlib in the precompiled native gems is updated to v1.3.1 from v1.3. Nokogiri is not affected by the minizip CVE patched in this version, but this update may satisfy some security scanners. Related, see this discussion about removing the compression libraries altogether in a future version of Nokogiri.

sha256 checksums:

bdb1dc4378ebcf3ade8f440c7df68f6d76946a1a96c4823a2b4c53c01a320cd5  nokogiri-1.16.4-aarch64-linux.gem
0c994b9996d5576eddcc3201a94ef2bff6fc3627c4ae4d2708b0ec9b9743ec6a  nokogiri-1.16.4-arm-linux.gem
8e86abb64c93c06d3c588042a0e757279e8f1dc88b5210a00be892a9a7a27196  nokogiri-1.16.4-arm64-darwin.gem
bf84fa28be4943692bd64772186e0832fb1061f80714ccb93e111e9d72b1cadc  nokogiri-1.16.4-java.gem
a46808467c1f63a2031e1ca0715cd5336bb4ec759e9c0e2f4c951c1cc30994ae  nokogiri-1.16.4-x64-mingw-ucrt.gem
4cdf64bc5e9443ec3e0b595347ecc8affe21968d9ae934c0825d26630ef96468  nokogiri-1.16.4-x64-mingw32.gem
d86d21bae47dd9f6f5223055e45d33fae08b0b89aad94cbc0ece4f4274fa7af5  nokogiri-1.16.4-x86-linux.gem
d488b872884844686780fda7cf5da44ee884d32faa713a55aeb4736d76718168  nokogiri-1.16.4-x86-mingw32.gem
a896e52a56951ffb0e6a9279afbf485d683e357a053d27f4cfcb2a73b0824628  nokogiri-1.16.4-x86_64-darwin.gem
92ff4f09910255fec84b3bc4c4b182e94cada3ed12b9f7a6ea058e0af186fb31  nokogiri-1.16.4-x86_64-linux.gem
</tr></table>

... (truncated)

Changelog

Sourced from nokogiri's changelog.

v1.16.5

Security

Dependencies

v1.16.4 / 2024-04-10

Dependencies

  • [CRuby] Vendored zlib in the precompiled native gems is updated to v1.3.1 from v1.3. Nokogiri is not affected by the minizip CVE patched in this version, but this update may satisfy some security scanners. Related, see this discussion about removing the compression libraries altogether in a future version of Nokogiri.

v1.16.3 / 2024-03-15

Dependencies

Changed

  • [CRuby] XML::Reader sets the @encoding instance variable during reading if it is not passed into the initializer. Previously, it would remain nil. The behavior of Reader#encoding has not changed. This works around changes to how libxml2 reports the encoding used in v2.12.6.

v1.16.2 / 2024-02-04

Security

Dependencies

v1.16.1 / 2024-02-03

Dependencies

... (truncated)

Commits

Updates rack from 2.2.8 to 2.2.9

Release notes

Sourced from rack's releases.

v2.2.8.1

What's Changed

Full Changelog: rack/rack@v2.2.8...v2.2.8.1

Commits

Updates rdoc from 6.6.2 to 6.6.3.1

Commits

Updates rexml from 3.2.6 to 3.2.8

Release notes

Sourced from rexml's releases.

REXML 3.2.8 - 2024-05-16

Fixes

  • Suppressed a warning

REXML 3.2.7 - 2024-05-16

Improvements

Fixes

  • XPath: Fixed a bug of normalize_space(array).

  • XPath: Fixed a bug that wrong position is used with nested path.

    • GH-110

    • GH-122

    • Reported by jcavalieri.

    • Patch by NAITOH Jun.

  • Fixed a bug that an exception message can't be generated for invalid encoding XML.

... (truncated)

Changelog

Sourced from rexml's changelog.

3.2.8 - 2024-05-16 {#version-3-2-8}

Fixes

  • Suppressed a warning

3.2.7 - 2024-05-16 {#version-3-2-7}

Improvements

Fixes

  • XPath: Fixed a bug of normalize_space(array).

  • XPath: Fixed a bug that wrong position is used with nested path.

    • GH-110

    • GH-122

    • Reported by jcavalieri.

    • Patch by NAITOH Jun.

  • Fixed a bug that an exception message can't be generated for

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
build(deps): bump the bundler group across 1 directory with 7 updates
7fd6e5c 
Bumps the bundler group with 3 updates in the / directory: [rails](https://github.com/rails/rails), [omniauth](https://github.com/omniauth/omniauth) and [rexml](https://github.com/ruby/rexml).


Updates `rails` from 7.1.3 to 7.1.3.1
- [Release notes](https://github.com/rails/rails/releases)
- [Commits](rails/rails@v7.1.3...v7.1.3.1)

Updates `omniauth` from 1.9.2 to 2.0.0
- [Release notes](https://github.com/omniauth/omniauth/releases)
- [Commits](omniauth/omniauth@v1.9.2...v2.0.0)

Updates `actionpack` from 7.1.3 to 7.1.3.1
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v7.1.3.3/actionpack/CHANGELOG.md)
- [Commits](rails/rails@v7.1.3...v7.1.3.1)

Updates `nokogiri` from 1.16.0 to 1.16.5
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.16.0...v1.16.5)

Updates `rack` from 2.2.8 to 2.2.9
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)
- [Commits](rack/rack@v2.2.8...v2.2.9)

Updates `rdoc` from 6.6.2 to 6.6.3.1
- [Release notes](https://github.com/ruby/rdoc/releases)
- [Changelog](https://github.com/ruby/rdoc/blob/master/History.rdoc)
- [Commits](ruby/rdoc@v6.6.2...v6.6.3.1)

Updates `rexml` from 3.2.6 to 3.2.8
- [Release notes](https://github.com/ruby/rexml/releases)
- [Changelog](https://github.com/ruby/rexml/blob/master/NEWS.md)
- [Commits](ruby/rexml@v3.2.6...v3.2.8)

---
updated-dependencies:
- dependency-name: rails
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: omniauth
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: actionpack
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: nokogiri
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: rack
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: rdoc
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: rexml
  dependency-type: indirect
  dependency-group: bundler
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label May 16, 2024
@dependabot dependabot Bot mentioned this pull request May 16, 2024
Closed
@dependabot @github
Copy link
Copy Markdown
Author

dependabot Bot commented on behalf of github Jun 3, 2024

Superseded by #3.

@dependabot dependabot Bot closed this Jun 3, 2024
@dependabot dependabot Bot deleted the dependabot/bundler/bundler-76e42d52ce branch June 3, 2024 17:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants